Community Auth Add User Registration Error
[attachment=776]
(01-16-2017, 08:31 PM)skunkbad Wrote: If an unregistered user is attempting to log in, Community Auth will never tell them that there is no email or username matching their attempt. This is by design, and in most authentication libraries it is considered normal, as it is pretty standard practice to reveal as little information as possible during a failed login attempt. Somebody can obviously use Community Auth's user recovery feature, but even that limits the number of recovery requests before locking the recovery page, the theory being that you don't want somebody just hammering away at that so they can figure out the email addresses of your users.

Community Auth is years in the making, and every feature has been considered and reconsidered. Unless I'm wrong about what you're attempting to do, you're making an uninformed observation as to what is desirable.

Other things to know are that if the login is locked, the recovery is locked. If recovery is locked, the login is locked.

I was saying that it would be nice to distinguish them (it's not a bug, but a feature request). I attached the Facebook login screenshot: if you type the wrong user account, it is much clearer what the user did wrong. I think it's very common for people to type one or two wrong letters when typing too fast. It can happen on either the username or the password. However, when users see an "invalid username or password" error, the first thought that comes to mind is that they typed the wrong password. (They might keep trying different password combinations, because they might have so many passwords on different websites that they can't figure out which one is for which site.)

Plus, displaying different login errors won't affect the current logic at all; everything remains the same, still N failed login attempts before being locked. It just tells regular users who may have many accounts/passwords, like me: you used the wrong username, it is not registered; or the password doesn't match the record, please retry with caution (you only have 5 chances), or recover the password.

Lastly, if the user is not registered in the database, what do we want to recover for? Why not return false at the beginning and display a different error message, with no need to proceed with the same routine check?

This is just my personal opinion; again, this is not a bug. :)
For me, meeting the regular subscribed user's expectations would come first, before thinking of the security hole.
If someone works for a company (not self-employed), maybe the company has its own NGFW firewall device, and these security issues can be left to it. It would be easier to prevent many more brute-force login attempts that way. :)
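The two designs argued over in this post side by side, as an added Python illustration that is not Community Auth's code: the early-return variant ("return false at the beginning" with a distinct message) next to the behaviour skunkbad describes (one generic failure message, and one lock shared by login and recovery). The in-memory user table, the error strings, the `Throttle` class, the client key and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Enumerable vs. generic login failures (added illustration, not Community Auth code)."""
import hashlib
import hmac
import os
import time
from typing import Tuple

ITERATIONS = 50_000          # assumed PBKDF2 work factor for the example
MAX_ATTEMPTS = 5             # assumed limit, matching the "5 chances" in the thread
GENERIC_ERROR = "Invalid username or password."
LOCKED_ERROR = "Too many attempts; try again later."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user table: "alice" is the only registered account.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record checked whenever the username is unknown, so the unknown-user
# path performs the same PBKDF2 work as the wrong-password path.
DUMMY = make_record(os.urandom(16).hex())


class Throttle:
    """One attempt counter per client, shared by login and recovery:
    if one is locked, the other is locked too (as described in the thread)."""

    def __init__(self, limit: int = MAX_ATTEMPTS):
        self.limit = limit
        self.attempts = {}

    def locked(self, client: str) -> bool:
        return self.attempts.get(client, 0) >= self.limit

    def count(self, client: str) -> None:
        self.attempts[client] = self.attempts.get(client, 0) + 1

    def reset(self, client: str) -> None:
        self.attempts.pop(client, None)


def login_enumerable(username: str, password: str) -> Tuple[bool, str]:
    """The 'return false at the beginning' variant: the message (and the skipped
    hash computation) reveal whether the username exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, "This username is not registered."
    if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        return False, "The password does not match our records."
    return True, "OK"


def login_generic(throttle: Throttle, client: str, username: str, password: str) -> Tuple[bool, str]:
    """Same message and same work on both failure paths; failures are counted per client."""
    if throttle.locked(client):
        return False, LOCKED_ERROR
    rec = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))
    if ok and username in USERS:
        throttle.reset(client)
        return True, "OK"
    throttle.count(client)
    return False, GENERIC_ERROR


def request_recovery(throttle: Throttle, client: str, identifier: str) -> str:
    """Recovery never confirms whether the identifier exists and honours the same lock."""
    if throttle.locked(client):
        return LOCKED_ERROR
    throttle.count(client)
    # A real implementation would send mail only if USERS has the identifier;
    # the response is identical either way.
    return "If that account exists, a recovery message has been sent."


def elapsed(fn, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    th = Throttle()
    print(login_enumerable("bob", "x"))
    print(login_generic(th, "10.0.0.1", "bob", "x"))
    print("enumerable, unknown user: %.4fs" % elapsed(login_enumerable, "bob", "x"))
    print("enumerable, wrong password: %.4fs" % elapsed(login_enumerable, "alice", "x"))
    print("generic, unknown user: %.4fs" % elapsed(login_generic, th, "10.0.0.1", "bob", "x"))
    print("generic, wrong password: %.4fs" % elapsed(login_generic, th, "10.0.0.1", "alice", "x"))
```

Running the block prints the timings: the early-return variant answers an unknown username without computing a password hash, so even with a neutral message the fast response would tell accounts apart. The generic variant hashes against a dummy record on the unknown-user path so both failures cost the same and return the same string.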


Messages In This Thread
RE: Community Auth Add User Registration Error - by allenxiao7 - 01-17-2017, 02:13 PM


